keeper: privileged ui injected into pages (again)

Issue description

I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:
https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/
I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). Amazingly, they're doing the exact same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works.
Nevertheless, this is (again) a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your Twitter password:
https://lock.cmpxchg8b.com/keepertest.html
Please consider adding regression tests before releasing an update for this issue, as I do not plan on creating new issues for every piece of UI I can dispatch events to, and attackers will certainly check them all.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Keeper sent me a mail requesting multiple changes to this report. The crux of their concern is that they believe the Keeper browser extension is a separate product from their Keeper desktop application, and believe this report conflates the two products.
The Keeper browser extension is installed as part of the default setup flow for the Keeper application; the relevant prompt can be seen in the attached screenshot. Unless a user clicks "Skip" in this dialog, they would be affected by this vulnerability. I stand by my original assessment of this issue, and consider clicking "Skip" here a non-default configuration.
A user must have completed the setup flow to be vulnerable; the existence of the Keeper icon in the start menu alone is not sufficient. If a user has clicked the icon and started using Keeper in the default configuration, they would be vulnerable.